Operation Dragon Whistle hides malware in nested macOS-like folders to target Changzhou University


Operation Dragon Whistle is a targeted phishing campaign against Chinese academia that hides Windows malware inside nested folders designed to look like macOS metadata directories. The campaign used a fake Changzhou University fitness testing notice to trick victims into opening a malicious ZIP file.

The Seqrite Labs report says the archive contained a double-extension LNK file disguised as a PDF document. When opened, the shortcut launched a VBScript loader, abused Bandizip for DLL side-loading, and deployed an in-memory Cobalt Strike beacon.

The attack stands out because it combines a believable university-themed lure with several defense evasion layers. The visible file looks like official paperwork, while the real payload sits deeper inside the archive and runs through trusted Windows and application behavior.

How the phishing lure worked

The campaign used an email written to resemble official university administrative communication. It referenced China’s National Student Physical Fitness and Health Standards testing, a theme that could create urgency for students and staff because fitness testing can affect graduation or administrative compliance.

The ZIP attachment used a Chinese filename that made it look like the final version of a Changzhou University testing notice. After extraction, the user saw what appeared to be a PDF document, but the clickable file was actually an LNK shortcut with a PDF-style name and icon.

A SOC Prime summary of the campaign also notes that UNG0002, the threat actor Seqrite links to this activity, used a malicious ZIP archive, a double-extension LNK file, VBScript, Bandizip side-loading, and Cobalt Strike command-and-control activity.

Stage             | Component                   | Role in the attack
------------------|-----------------------------|------------------------------------------------------------
Initial lure      | Phishing email              | Impersonates university communication about fitness testing.
Attachment        | Malicious ZIP file          | Contains the fake PDF shortcut and hidden payload folders.
User trigger      | Double-extension LNK file   | Looks like a PDF but starts the execution chain.
Script stage      | chromedo.vbs                | Opens the decoy PDF and launches Bandizip.exe.
Side-loading stage| Bandizip.exe and ark.x64.dll| Loads the malicious DLL under a legitimate process.
Final payload     | Cobalt Strike beacon        | Runs in memory and connects to command-and-control infrastructure.

Nested macOS-like folders hid the real payload

The ZIP file used four layers of nested folders that mimicked macOS metadata-style directories. This structure helped bury the actual payload files below the visible lure.

That design reduces the chance that a user, help desk analyst, or simple archive viewer notices the dangerous components. It can also weaken automated scanning if the scanner caps how many folder levels of an archive it inspects, or skips folders that look like macOS resource-fork metadata.

This trick does not exploit macOS itself. It uses macOS-like folder naming as camouflage inside a Windows malware delivery chain.
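The following is an added example, not code from the Seqrite or SOC Prime reports: a static triage routine for a ZIP attachment that looks for the traits this section describes. It flags member paths nested deeper than a threshold, folder names that imitate macOS metadata, shortcut files with a document-style double extension, script files, and DLLs placed beside an executable in the same directory (the side-loading layout). The archive is constructed in memory, so its member names, the depth threshold, and the `__MACOSX` / `._` naming used to stand in for "macOS-like" folders are assumptions; the page does not give the real campaign's folder names.

```python
"""Added example (not from the Seqrite or SOC Prime reports): static triage of a
ZIP attachment for the traits described in this section.  Member names, the
depth threshold and the macOS-style folder names are assumptions."""
import io
import posixpath
import zipfile

DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
MAX_DEPTH = 3  # folder levels before a path counts as suspiciously deep (assumption)


def looks_macos_metadata(component: str) -> bool:
    """__MACOSX and ._ prefixes are what macOS archive tools emit; as camouflage
    they invite reviewers and some scanners to skip the folder.  Assumption: the
    page does not name the campaign's actual folder names."""
    return component == "__MACOSX" or component.startswith("._")


def triage_zip(data: bytes, max_depth: int = MAX_DEPTH) -> list[tuple[str, str]]:
    """Return (reason, member_path) findings for a ZIP supplied as bytes."""
    findings: list[tuple[str, str]] = []
    exe_dirs: set[str] = set()
    dll_members: list[tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.replace("\\", "/")  # some packers store Windows separators
            parts = name.split("/")
            folder, base = "/".join(parts[:-1]), parts[-1]
            stem, ext = posixpath.splitext(base.lower())
            inner_ext = posixpath.splitext(stem)[1]  # ".pdf" in "notice.pdf.lnk"
            if len(parts) - 1 >= max_depth:
                findings.append(("deep_path", name))
            if any(looks_macos_metadata(p) for p in parts[:-1]):
                findings.append(("macos_style_folder", name))
            if ext == ".lnk":
                findings.append(("doc_disguised_lnk" if inner_ext in DOC_EXTS else "lnk", name))
            if ext in SCRIPT_EXTS:
                findings.append(("script", name))
            if ext == ".exe":
                exe_dirs.add(folder)
            if ext == ".dll":
                dll_members.append((folder, name))
    # A DLL in the same folder as an EXE is the side-loading layout, whatever the names.
    for folder, name in dll_members:
        if folder in exe_dirs:
            findings.append(("dll_beside_exe", name))
    return findings


def verdict(findings: list[tuple[str, str]]) -> str:
    """Block on the combination this campaign used; review anything else that fired.
    A macOS-style folder on its own is normal for archives made on a Mac."""
    reasons = {r for r, _ in findings}
    if "doc_disguised_lnk" in reasons and ({"script", "dll_beside_exe"} & reasons):
        return "block"
    if reasons & {"doc_disguised_lnk", "dll_beside_exe", "script", "lnk"}:
        return "review"
    return "allow"


def build_sample_zip() -> bytes:
    """Constructed archive with the layout described above (names are assumed)."""
    hidden = "Notice/__MACOSX/._meta/._rsrc/._cache"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Notice/Fitness_Test_Notice_Final.pdf.lnk", b"L\x00\x00\x00")  # shortcut header
        zf.writestr(f"{hidden}/chromedo.vbs", b"' loader stub\r\n")
        zf.writestr(f"{hidden}/Notice.pdf", b"%PDF-1.4 decoy")
        zf.writestr(f"{hidden}/Bandizip.exe", b"MZ")
        zf.writestr(f"{hidden}/ark.x64.dll", b"MZ")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Control: a plain document archive that merely carries a macOS resource-fork folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Notice/Fitness_Test_Notice_Final.pdf", b"%PDF-1.4")
        zf.writestr("__MACOSX/Notice/._Fitness_Test_Notice_Final.pdf", b"\x00\x05\x16\x07")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_zip()), ("benign", build_benign_zip())):
        hits = triage_zip(blob)
        print(label, "->", verdict(hits))
        for reason, member in hits:
            print("   ", reason, member)
```

The verdict deliberately keys on combinations rather than any single trait: a shortcut file alone, or a `__MACOSX` folder alone, is common in legitimate mail, whereas a document-named LNK plus a script or an EXE/DLL pair in the same archive is the layout this campaign relied on.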

The LNK file launched the infection chain

The victim’s first interaction was the fake PDF shortcut. The LNK file used a PDF-looking name and icon to hide its real purpose.

When clicked, it abused explorer.exe to execute the VBScript payload hidden several folders deep. This living-off-the-land step helps the attack look less suspicious because the action begins through a normal Windows process instead of a clearly malicious executable.

The VBScript file then constructed paths to the decoy PDF and the Bandizip executable. It opened the real-looking document first so the victim focused on the university notice while the malicious track continued in the background.

Bandizip helped load the malicious DLL

The next stage used DLL side-loading. The attackers placed a legitimate Bandizip.exe file in the hidden folder structure, then placed a malicious DLL named ark.x64.dll next to it.

When Bandizip.exe started, the Windows loader resolved the DLL from the application's own directory, which comes first in the default search order for a DLL that is not a KnownDLL, so the attacker-controlled copy was loaded in place of the legitimate library. This allowed malicious code to run under the context of a trusted application.

The DLL exported a function named CreateArk. Seqrite found that this function performed anti-debugging checks, reconstructed hidden strings at runtime, decrypted payload content, and prepared the final in-memory execution stage.

Anti-analysis checks blocked researchers and sandboxes

The malicious DLL checked for debugging, network analysis, and monitoring tools before continuing. The blacklist included tools such as Wireshark, Procmon, Tcpview, Dumpcap, Fiddler, and Charles.

If it found a matching process, the malware diverted execution and terminated. This reduced the chance that researchers could observe the full infection chain in a controlled lab.

  • Debugger checks helped detect analysis environments.
  • Process enumeration looked for monitoring and reverse engineering tools.
  • Runtime decryption hid sensitive strings from static analysis.
  • In-memory loading reduced the number of obvious payload files on disk.
  • AMSI and ETW interference reduced runtime scanning and logging visibility.

Cobalt Strike gave attackers post-exploitation access

The final stage deployed a Cobalt Strike beacon in memory. Cobalt Strike is a legitimate security testing framework, but threat actors often use cracked or abused copies for command-and-control, lateral movement, credential access, and post-exploitation activity.

The DFIR Report Cobalt Strike guide explains that threat actors often use Cobalt Strike as a second-stage tool after an initial malware loader gives them access to a victim system.

In Operation Dragon Whistle, Cobalt Strike gave the operators a flexible remote access path after the LNK, VBScript, and DLL side-loading stages had already completed.

Seqrite attributes Operation Dragon Whistle to UNG0002 with medium-high confidence. The attribution is based on overlap with a previous campaign called Operation Cobalt Whisper, which also used malicious LNK files and obfuscated VBScript.

The second attribution signal is infrastructure. Researchers said the C2 infrastructure resolved to lysander.asia at 60.205.186.162 and was hosted on Alibaba Cloud, with DNS and registration signals tied to Chinese domestic service providers.

That regional infrastructure choice can make blocking harder. Defenders may hesitate to block an entire cloud or ASN range because the same providers host many legitimate services.

Why the campaign focused on academia

Universities offer attackers a useful mix of targets. They have large user populations, mixed security maturity, many shared files, research data, student records, and users who often open administrative attachments quickly.

Infection chain (Source – Seqrite)

A fitness testing notice also fits the environment. Students and staff may expect forms, schedules, policy notices, and PDF files from university offices, especially when the topic appears tied to graduation or compliance.

This makes the lure stronger than a generic invoice or delivery notice. It speaks directly to the target’s daily environment and expected institutional pressure.

What defenders should monitor

Security teams should treat ZIP files containing LNK files as high risk, especially when they arrive through email and use official-looking institutional themes.

They should also monitor for Bandizip launching from unusual archive extraction paths, DLLs loaded from user-writable folders, and VBScript execution that follows an LNK click.

  • ZIP attachments containing LNK files disguised as documents.
  • Explorer.exe launching VBScript from nested archive paths.
  • chromedo.vbs or similar scripts opening a decoy document and launching another binary.
  • Bandizip.exe running from temporary, hidden, or user-writable folders.
  • ark.x64.dll or unknown DLLs placed next to legitimate executables.
  • In-memory Cobalt Strike behavior and suspicious beacon traffic.
  • Connections to 60.205.186.162 or related campaign infrastructure.

Detection should focus on the full chain

Blocking one hash may not stop future versions of the campaign. The attacker can rename files, rebuild the ZIP, change the C2, or adjust the script while keeping the same technique.

Detection should focus on behavior. A fake PDF LNK, hidden VBScript, Bandizip side-loading, unknown DLL loading, anti-analysis checks, and Cobalt Strike beaconing together form a stronger signal than any single file name.

The SOC Prime campaign summary highlights the same high-level chain, which gives defenders a useful structure for building SIEM and EDR detections around the sequence rather than isolated artifacts.

Detection layer     | Behavior to watch
--------------------|-------------------------------------------------------------------
Email gateway       | Archive attachments containing LNK files or deeply nested folders.
Endpoint            | Explorer launching scripts from extracted archive paths.
Application control | Bandizip or other utilities running from non-standard locations.
DLL monitoring      | Unknown DLLs loaded beside trusted executables.
Memory scanning     | Beacon-like behavior without a clear executable payload on disk.
Network monitoring  | Suspicious HTTP or HTTPS C2 traffic to campaign infrastructure.
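To make the "full chain" point concrete, here is an added example that is not code from Seqrite, SOC Prime or The DFIR Report: a behavioural hunt over Sysmon-style endpoint records that scores the sequence from the monitoring list and the table above (explorer.exe starting a script host on a .vbs under a user-writable extraction path, a child binary started from such a path, an unsigned DLL loaded from that binary's own directory, and a DNS lookup of campaign infrastructure). The event records are constructed; the field names loosely follow Sysmon event IDs 1, 7 and 22, the use of wscript.exe as the script host, the time window, and the layout of the benign Bandizip install are all assumptions.

```python
"""Added example (not from the cited reports): correlate Sysmon-style events into
the Dragon Whistle chain rather than matching one artifact.  Event schema,
wscript.exe as script host and the 10-minute window are assumptions."""
import re
from collections import defaultdict
from ntpath import basename, dirname

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
IOC_DOMAINS = {"lysander.asia"}      # from the Seqrite infrastructure analysis
IOC_IPS = {"60.205.186.162"}
VBS_RE = re.compile(r'([a-z]:\\[^"]+?\.vbs)\b', re.IGNORECASE)


def user_writable(path: str) -> bool:
    """Rough test for locations a standard user can write to (assumption)."""
    p = path.lower()
    return (p.startswith("c:\\users\\") or "\\temp\\" in p
            or "\\appdata\\" in p or p.startswith("c:\\programdata\\"))


def same_dir(a: str, b: str) -> bool:
    return dirname(a).lower() == dirname(b).lower()


def hunt(events: list[dict], window: int = 600) -> list[dict]:
    """One hit per suspicious script launch, listing the later stages seen on that host."""
    by_host: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    hits = []
    for host, evs in by_host.items():
        evs = sorted(evs, key=lambda e: e["ts"])
        for s in evs:
            # Stage 1: explorer.exe -> script host running a .vbs from a user-writable path
            if s["type"] != "process" or basename(s["image"]).lower() not in SCRIPT_HOSTS:
                continue
            if basename(s["parent_image"]).lower() != "explorer.exe":
                continue
            m = VBS_RE.search(s["cmdline"])
            if not m or not user_writable(m.group(1)):
                continue
            stages = {"script_from_user_path"}
            later = [e for e in evs if s["ts"] <= e["ts"] <= s["ts"] + window]
            for c in later:
                # Stage 2: the script's child binary also lives in a user-writable folder
                if c["type"] != "process" or c["ppid"] != s["pid"] or not user_writable(c["image"]):
                    continue
                stages.add("child_binary_from_user_path")
                for e in later:
                    if e.get("pid") != c["pid"]:
                        continue
                    # Stage 3: unsigned DLL loaded from the binary's own directory (side-loading)
                    if e["type"] == "image_load" and same_dir(e["loaded"], c["image"]) \
                            and not e.get("signed", False):
                        stages.add("unsigned_dll_beside_exe")
                    # Stage 4: contact with known campaign infrastructure
                    if e["type"] == "dns" and e.get("query", "").lower() in IOC_DOMAINS:
                        stages.add("c2_ioc")
                    if e["type"] == "network" and e.get("dest_ip") in IOC_IPS:
                        stages.add("c2_ioc")
            severity = "high" if len(stages) >= 3 else "medium" if len(stages) == 2 else "low"
            hits.append({"host": host, "script": m.group(1),
                         "stages": sorted(stages), "severity": severity})
    return hits


EXTRACT = r"C:\Users\stu\Downloads\Notice\__MACOSX\._meta\._rsrc\._cache"
EVENTS = [  # constructed records; ts in seconds
    {"ts": 100, "host": "lab01", "type": "process", "pid": 4001, "ppid": 1200,
     "image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f'"C:\\Windows\\System32\\wscript.exe" "{EXTRACT}\\chromedo.vbs"'},
    {"ts": 102, "host": "lab01", "type": "process", "pid": 4002, "ppid": 4001,
     "image": f"{EXTRACT}\\Bandizip.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": f'"{EXTRACT}\\Bandizip.exe"'},
    {"ts": 103, "host": "lab01", "type": "image_load", "pid": 4002,
     "image": f"{EXTRACT}\\Bandizip.exe", "loaded": f"{EXTRACT}\\ark.x64.dll", "signed": False},
    {"ts": 110, "host": "lab01", "type": "dns", "pid": 4002,
     "image": f"{EXTRACT}\\Bandizip.exe", "query": "lysander.asia"},
    # Control: a normal Bandizip install loading its own library (assumed layout)
    {"ts": 200, "host": "lab02", "type": "process", "pid": 5001, "ppid": 1300,
     "image": r"C:\Program Files\Bandizip\Bandizip.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Bandizip\Bandizip.exe" C:\Users\bob\Desktop\report.zip'},
    {"ts": 201, "host": "lab02", "type": "image_load", "pid": 5001,
     "image": r"C:\Program Files\Bandizip\Bandizip.exe",
     "loaded": r"C:\Program Files\Bandizip\ark.x64.dll", "signed": True},
    # Control: an admin script launched from a system path
    {"ts": 300, "host": "lab03", "type": "process", "pid": 6001, "ppid": 1400,
     "image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Windows\Scripts\inventory.vbs"'},
]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit["host"], hit["severity"], hit["stages"])
```

Only lab01 produces a hit, and it scores "high" because four stages line up inside the window; the legitimate Bandizip on lab02 never trips the side-loading check because it runs from Program Files and loads a signed library, and the system-path script on lab03 fails the first stage. Renaming chromedo.vbs or rotating the C2 domain would drop at most one stage from the score, which is the point of correlating the sequence.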

Incident response steps for affected systems

If a user opened the malicious archive, responders should isolate the endpoint and preserve the original email, ZIP file, extracted folder structure, and endpoint telemetry.

Teams should collect process trees, loaded module data, script execution logs, command-line history, browser and email artifacts, and network connections. Memory capture may help if the final beacon ran only in memory.

  • Isolate the endpoint from the network.
  • Preserve the phishing email and ZIP attachment.
  • Check for execution of the fake PDF LNK file.
  • Review script activity linked to chromedo.vbs.
  • Identify Bandizip.exe execution from unusual folders.
  • Look for ark.x64.dll and other nearby payload files.
  • Review outbound traffic to 60.205.186.162 and lysander.asia.
  • Hunt for Cobalt Strike indicators across nearby systems.

How universities can reduce exposure

Academic institutions should harden email filtering for archive files, especially ZIP attachments containing LNK, VBS, executable, or DLL content. They should also train users to treat shortcut files disguised as PDFs as suspicious.

Endpoint rules should block or alert when LNK files launch scripts from extracted archive paths. Application control can also prevent trusted utilities from loading DLLs in user-writable folders.

For Cobalt Strike, the DFIR Report recommends paying close attention to post-exploitation behavior such as process injection, named pipes, beacon traffic, discovery commands, and credential access attempts.

The broader lesson from Operation Dragon Whistle

Operation Dragon Whistle shows how threat actors can turn a simple ZIP attachment into a multi-stage infection chain. The archive looks like a document delivery method, but it hides shortcut execution, script orchestration, side-loading, anti-analysis checks, and in-memory beaconing.

The campaign also shows why context matters in phishing defense. A university-themed lure written around a real administrative concern can outperform generic malware emails because the victim has a reason to open it.

The safest approach is layered defense: inspect archive contents deeply, block risky file types, monitor side-loading behavior, detect in-memory Cobalt Strike activity, and teach users to report unexpected ZIP files even when the topic looks official.

FAQ

What is Operation Dragon Whistle?

Operation Dragon Whistle is a spear-phishing campaign documented by Seqrite Labs that targeted Chinese academia, especially Changzhou University, using a malicious ZIP file disguised as a university fitness testing notice.

How did the malware hide inside the ZIP file?

The ZIP file used four levels of nested folders that mimicked macOS metadata directories. The actual payload files sat deep inside this structure, while the visible file looked like a PDF but was really an LNK shortcut.

What happened when the victim opened the fake PDF?

Opening the fake PDF triggered the LNK file, which used explorer.exe to run chromedo.vbs. The script opened a decoy PDF and silently launched Bandizip.exe, which side-loaded the malicious ark.x64.dll file.

What was the final payload?

The final payload was an in-memory Cobalt Strike beacon. This gave attackers command-and-control access after the LNK, VBScript, and DLL side-loading stages completed.

How can organizations detect this attack chain?

Organizations should monitor ZIP files containing LNK files, deeply nested archive paths, explorer.exe launching scripts, Bandizip.exe running from unusual folders, unknown DLL side-loading, and Cobalt Strike beacon behavior.
